Internal

Global Glastopf statistics for June 2014

During the month of June the following information was obtained from Glastopf installations worldwide

Geographical spread

10 most popular injected files during the period

Short introduction to RFI:

“Remote File Inclusion (RFI) is a type of vulnerability most often found on websites. It allows an attacker to include a remote file, usually through a script on the web server. The vulnerability occurs due to the use of user-supplied input without proper validation. This can lead to something as minimal as outputting the contents of the file or more serious events such as: Code execution on the web server .. “ source: Wikipedia

Hash

Hits

VirusTotal detection ratio

30a7bb30303f7da9ad102edc313dc80e

929

0 / 52

ab4d03072cc0532afc83d13854ed7e4f

577

22 / 49

474c4daeff3d82ae49d7c96acb8c0d84

514

21 / 53

9f67913d2c77545a4187053ad18230e4

496

7 / 52

369aab6f3a40d0259e6b036b68c27d25

411

7 / 54

10b5c4f77bbd80a3886e591dc3426198

267

N / A

6427bb17f4922b82c0147099429cfef9

203

3 / 53

be52cd4e8a8f6e42418c87d3468bba20

191

9 / 51

f922514cec9b9dc9c74b99ce9e39d3bc

164

15 / 53

46f5757064a2a0a081d6fd099f2916b5

159

18 / 46

Note: VirusTotal scan was performed on the 20:th of July 2014. N/A means that the injected binary was no longer present at it's original location and no sample could be acquired

Top pick from list of requested resources

Glastopf is a web application Honeypot which emulates vulnerabilities and lures the attacker that the requested service/application is vulnerable to gather data from attacks targeting web applications.

In an attempt to visualise the type of targets for these attacks we took the help of the public available resource: sitereview.bluecoat.com to categorise the targeted sites

Many of the sites categorised as not yet rated by the webfilter vendor, ended up being sites offering DDoS services, many of them protected by legit DDoS protection services.

WordPress wp.getUsersBlogs brute force attempts

Comment
We were able to quickly detect wp.getUserBlogs attempts when they "started",
now a month later there are several blog post describing the issue.

The first occurrences detected was on the 29:th of June, targeting only a limited amount of Honeypots and originated from two European countries.

About
"This attack is being made possible because many calls in the WordPress XMLRPC implementation required a
username and password. It these attacks, we are seeing wp.getUsersBlogs being used (and very few times
wp.getComments), but it could be other calls as well. If you provide a user and a password to them, it will reply back if
the combination is correct or not:" sucuri.net

Please see the URL below for more information about this vulnerabilityURL http://blog.sucuri.net/2014/07/new-brute-force-attacks-exploiting-xmlrpc-in-wordpress.html

This was a small excerpt from the collected data. I hope this encouraged you to continue to have hpfeeds enabled (or to enable it, if you have turned it off) on your honeypot/honeypots as the data gives a very valuable insight into current threats globally.

System reference:

“Glastopf is a Honeypot which emulates thousands of vulnerabilities to gather data from attacks targeting web applications. The principle behind it is very simple: Reply the correct response to the attacker exploiting the web application.”

For more information please visit:URL http://www.glastopf.org/index.php or https://github.com/glastopf/glastopf

All data was collected using hpfriends, for more information please visitURL http://hpfriends.honeycloud.net/